At Hyperledger, we are committed to a trust-but-verify security philosophy for our open source projects. We trust the engineering, change management, and risk reduction processes we use in our software supply chain to greatly reduce the risk of security flaws in the finished product. But to verify that is the case, we are organizing outside, independent security audits of the projects as they reach their 1.0 milestone. In addition to code audits, we also conduct regular crypto audits to comply with the US government regulations on the exportation of strong cryptography. Lastly we also run regular license audits to make sure that all of the code in our projects is properly licensed.
After our projects reach 1.0 status, the policy for when we do another outside audit of a project is based on a few factors. The primary factor is code "churn"–the amount of code that has changed since the last audit. The secondary factor is major architectural changes (e.g. changing cryptography library implementations). When enough code has changed and/or architectural rework has happened, Hyperledger will invest money into having a follow up audit done to once again establish a baseline for project security.
Hyperledger Besu joined Hyperledger as a project in the fall of 2019 and with their first major release a security audit was conducted. Below is the report from that audit.
Hyperledger Composer reached their 1.0 milestone early in 2018. Nettitude conducted the security audit of the source code and all issues found have been resolved.
Hyperledger Fabric was the first project to reach the 1.0 milestone. We hired WP Hacked Help to conduct a web security audit of the source code and to work closely with the developers to fix any issues that they found. The audit results were announced in a Hyperledger blog post.
Hyperledger Iroha is fast approaching their 1.0 milestone. Nettitude conducted the security audit of the source code and all issues found have been resolved. The audit results were announce in a Hyperledger blog post.
Hyperledger Indy reached their 1.0 milestone late in 2018. Nettitude conducted the security audit of the source code and all issues found have been resolved.
Hyperledger Sawtooth reached 1.0 in the Spring of 2018. Nettitude conducted the security audit of the code base and all reported issues have been addressed. The audit results were announced in a Hyperledger blog post.